Annamalai Narayanan,Mahinthan Chandramohan,Lihui Chen,Yang Liu

DOI: https://doi.org/10.48550/arXiv.1706.00947

2017-07-06

Abstract:It is well-known that Android malware constantly evolves so as to evade detection. This causes the entire malware population to be non-stationary. Contrary to this fact, most of the prior works on Machine Learning based Android malware detection have assumed that the distribution of the observed malware characteristics (i.e., features) does not change over time. In this work, we address the problem of malware population drift and propose a novel online learning based framework to detect malware, named CASANDRA (Contextaware, Adaptive and Scalable ANDRoid mAlware detector). In order to perform accurate detection, a novel graph kernel that facilitates capturing apps' security-sensitive behaviors along with their context information from dependency graphs is proposed. Besides being accurate and scalable, CASANDRA has specific advantages: i) being adaptive to the evolution in malware features over time ii) explaining the significant features that led to an app's classification as being malicious or benign. In a large-scale comparative analysis, CASANDRA outperforms two state-of-the-art techniques on a benchmark dataset achieving 99.23% F-measure. When evaluated with more than 87,000 apps collected in-the-wild, CASANDRA achieves 89.92% accuracy, outperforming existing techniques by more than 25% in their typical batch learning setting and more than 7% when they are continuously retained, while maintaining comparable efficiency.

Cryptography and Security,Machine Learning,Software Engineering

Ali Muzaffar,Hani Ragab Hassen,Hind Zantout,Michael A Lones

2024-01-30

Abstract:The growing popularity of Android requires malware detection systems that can keep up with the pace of new software being released. According to a recent study, a new piece of malware appears online every 12 seconds. To address this, we treat Android malware detection as a streaming data problem and explore the use of active online learning as a means of mitigating the problem of labelling applications in a timely and cost-effective manner. Our resulting framework achieves accuracies of up to 96\%, requires as little of 24\% of the training data to be labelled, and compensates for concept drift that occurs between the release and labelling of an application. We also consider the broader practicalities of online learning within Android malware detection, and systematically explore the trade-offs between using different static, dynamic and hybrid feature sets to classify malware.

Cryptography and Security,Artificial Intelligence

Xin Su,Dafang Zhang,Wenjia Li,Kai Zhao

DOI: https://doi.org/10.1109/TrustCom.2016.69

2016-01-01

Abstract:The growing amount and diversity of Android malware has significantly weakened the effectiveness of the conventional defense mechanisms, and thus Android platform often remains unprotected from new and unknown malware. To address these limitations, we propose DroidDeep, a malware detection approach for the Android platform based on the deep learning model. Deep learning emerges as a new area of machine learning research that has attracted increasing attention in artificial intelligence. To implement this, we first extract five types of features from the static analysis of Android apps. Then, we build the deep learning model to learn features from Android apps. Finally, the learned features are used to detect unknown Android malware. In an experiment with 3,986 benign apps and 3,986 malware, DroidDeep outperforms several existing malware detection approaches and achieves a 99.4% detection accuracy. Moreover, DroidDeep can achieve a remarkable run-time efficiency which makes it very easy to adapt to a lager scale of real-world Android malware detection.

Yizheng Chen,Zhoujie Ding,David Wagner

2023-06-15

Abstract:Machine learning methods can detect Android malware with very high accuracy. However, these classifiers have an Achilles heel, concept drift: they rapidly become out of date and ineffective, due to the evolution of malware apps and benign apps. Our research finds that, after training an Android malware classifier on one year's worth of data, the F1 score quickly dropped from 0.99 to 0.76 after 6 months of deployment on new test samples. In this paper, we propose new methods to combat the concept drift problem of Android malware classifiers. Since machine learning technique needs to be continuously deployed, we use active learning: we select new samples for analysts to label, and then add the labeled samples to the training set to retrain the classifier. Our key idea is, similarity-based uncertainty is more robust against concept drift. Therefore, we combine contrastive learning with active learning. We propose a new hierarchical contrastive learning scheme, and a new sample selection technique to continuously train the Android malware classifier. Our evaluation shows that this leads to significant improvements, compared to previously published methods for active learning. Our approach reduces the false negative rate from 14% (for the best baseline) to 9%, while also reducing the false positive rate (from 0.86% to 0.48%). Also, our approach maintains more consistent performance across a seven-year time period than past methods.

Cryptography and Security,Artificial Intelligence

Mohammed K. Alzaylaee,Suleiman Y. Yerima,Sakir Sezer

DOI: https://doi.org/10.1016/j.cose.2019.101663

2019-11-23

Abstract:The Android operating system has been the most popular for smartphones and tablets since 2012. This popularity has led to a rapid raise of Android malware in recent years. The sophistication of Android malware obfuscation and detection avoidance methods have significantly improved, making many traditional malware detection methods obsolete. In this paper, we propose DL-Droid, a deep learning system to detect malicious Android applications through dynamic analysis using stateful input generation. Experiments performed with over 30,000 applications (benign and malware) on real devices are presented. Furthermore, experiments were also conducted to compare the detection performance and code coverage of the stateful input generation method with the commonly used stateless approach using the deep learning system. Our study reveals that DL-Droid can achieve up to 97.8% detection rate (with dynamic features only) and 99.6% detection rate (with dynamic + static features) respectively which outperforms traditional machine learning techniques. Furthermore, the results highlight the significance of enhanced input generation for dynamic analysis as DL-Droid with the state-based input generation is shown to outperform the existing state-of-the-art approaches.

Cryptography and Security,Machine Learning,Neural and Evolutionary Computing

Zhenlong Yuan,Yongqiang Lu,Yibo Xue

DOI: https://doi.org/10.1109/tst.2016.7399288

2016-01-01

Tsinghua Science & Technology

Abstract:Smartphones and mobile tablets are rapidly becoming indispensable in daily life. Android has been the most popular mobile operating system since 2012. However, owing to the open nature of Android, countless malwares are hidden in a large number of benign apps in Android markets that seriously threaten Android security. Deep learning is a new area of machine learning research that has gained increasing attention in artificial intelligence. In this study, we propose to associate the features from the static analysis with features from dynamic analysis of Android apps and characterize malware using deep learning techniques. We implement an online deep-learning-based Android malware detection engine (DroidDetector) that can automatically detect whether an app is a malware or not. With thousands of Android apps, we thoroughly test DroidDetector and perform an indepth analysis on the features that deep learning essentially exploits to characterize malware. The results show that deep learning is suitable for characterizing Android malware and especially effective with the availability of more training data. DroidDetector can achieve 96.76% detection accuracy, which outperforms traditional machine learning techniques. An evaluation of ten popular anti-virus softwares demonstrates the urgency of advancing our capabilities in Android malware detection.

Hanqing Zhang,Senlin Luo,Yifei Zhang,Limin Pan

DOI: https://doi.org/10.1109/access.2019.2919796

IF: 3.9

2019-01-01

IEEE Access

Abstract:According to the recent report, 12 000 new Android malware samples will be generated every day. Efficient identification of evolving malware is an urgent challenge. Traditional methods based on structured features such as permissions and sensitive application programming interface (API) calls lack high-level behavioral semantics to detect evolving malware. The methods based on call graphs (CG) are good at behavioral semantic analysis but face the problem of huge time and space consumption, which leads to low detection efficiency. In this paper, we propose a novel Android malware detection method based on the method-level correlation relationship of application's abstracted API calls. First, we split each Android application's source code into separate function methods and just keep the abstracted API calls of them to form a set of abstracted API calls transactions. And then, we calculate the confidence of association rules between the abstracted API calls, which forms behavioral semantics to describe an application. Finally, we combine machine learning to identify the different behavioral patterns of malicious and benign apps to build the detection system. The results of our empirical evaluation show our system is competitive in terms of classification accuracy and detection efficiency. At dataset Drebin (benign 5.9K and malware 5.6K) and AMD (benign 20.5K and malware 20.8K), our system has achieved 96% and 98% detection results both in accuracy and F-measure. Compared with the state-of-the-art system in detecting evolving malware called MaMaDroid on the dataset of 6.0K benign and 20.5K malicious samples spanning from 2010 to 2017, our system achieves higher accuracy while improving detection efficiency by 15 times (2.9 s versus 45.7 s per sample).

Weina Niu,Rong Cao,Xiaosong Zhang,Kangyi Ding,Kaimeng Zhang,Ting Li

DOI: https://doi.org/10.3390/s20133645

2020-06-29

Abstract:Due to the openness of an Android system, many Internet of Things (IoT) devices are running the Android system and Android devices have become a common control terminal for IoT devices because of various sensors on them. With the popularity of IoT devices, malware on Android-based IoT devices is also increasing. People's lives and privacy security are threatened. To reduce such threat, many researchers have proposed new methods to detect Android malware. Currently, most malware detection products on the market are based on malware signatures, which have a fast detection speed and normally a low false alarm rate for known malware families. However, they cannot detect unknown malware and are easily evaded by malware that is confused or packaged. Many new solutions use syntactic features and machine learning techniques to classify Android malware. It has been known that analysis of the Function Call Graph (FCG) can capture behavioral features of malware well. This paper presents a new approach to classifying Android malware based on deep learning and OpCode-level FCG. The FCG is obtained through static analysis of Operation Code (OpCode), and the deep learning model we used is the Long Short-Term Memory (LSTM). We conducted experiments on a dataset with 1796 Android malware samples classified into two categories (obtained from Virusshare and AndroZoo) and 1000 benign Android apps. Our experimental results showed that our proposed approach with an accuracy of 97 % outperforms the state-of-the-art methods such as those proposed by Nikola et al. and Hou et al. (IJCAI-18) with the accuracy of 97 % and 91 % , respectively. The time consumption of our proposed approach is less than the other two methods.

ElMouatez Billah Karbab,Mourad Debbabi

DOI: https://doi.org/10.48550/arXiv.2105.13491

2021-05-28

Abstract:Android malware detection is a significat problem that affects billions of users using millions of Android applications (apps) in existing markets. This paper proposes PetaDroid, a framework for accurate Android malware detection and family clustering on top of static analyses. PetaDroid automatically adapts to Android malware and benign changes over time with resilience to common binary obfuscation techniques. The framework employs novel techniques elaborated on top of natural language processing (NLP) and machine learning techniques to achieve accurate, adaptive, and resilient Android malware detection and family clustering. PetaDroid identifies malware using an ensemble of convolutional neural network (CNN) on proposed Inst2Vec features. The framework clusters the detected malware samples into malware family groups utilizing sample feature digests generated using deep neural auto-encoder. For change adaptation, PetaDroid leverages the detection confidence probability during deployment to automatically collect extension datasets and periodically use them to build new malware detection models. Besides, PetaDroid uses code-fragment randomization during the training to enhance the resiliency to common obfuscation techniques. We extensively evaluated PetaDroid on multiple reference datasets. PetaDroid achieved a high detection rate (98-99% f1-score) under different evaluation settings with high homogeneity in the produced clusters (96%). We conducted a thorough quantitative comparison with state-of-the-art solutions MaMaDroid, DroidAPIMiner, MalDozer, in which PetaDroid outperforms them under all the evaluation settings.

Cryptography and Security

Pengbin Feng,Jianfeng Ma,Cong Sun,Xinpeng Xu,Yuwan Ma

DOI: https://doi.org/10.1109/access.2018.2844349

IF: 3.9

2018-01-01

IEEE Access

Abstract:With the popularity of Android smartphones, malicious applications targeted Android platform have explosively increased. Proposing effective Android malware detection method for preventing the spread of malware has become an emerging issue. Various features extracted through static and dynamic analysis in conjunction with machine learning algorithm have been the mainstream in large-scale malware identification. In general, static analysis becomes invalid in detecting applications which adopt sophisticated obfuscation techniques like encryption or dynamic code loading. However, dynamic analysis is suitable to deal with these evasion techniques. In this paper, we propose an effective dynamic analysis framework, called EnDroid, in the aim of implementing highly precise malware detection based on multiple types of dynamic behavior features. These features cover system-level behavior trace and common application-level malicious behaviors like personal information stealing, premium service subscription, and malicious service communication. In addition, EnDroid adopts feature selection algorithm to remove noisy or irrelevant features and extracts critical behavior features. Extracting behavior features through runtime monitor, EnDroid is able to distinguish malicious from benign applications with ensemble learning algorithm. Through experiments, we prove the effectiveness of EnDroid on two datasets. Furthermore, we find Stacking achieves the best classification performance and is promising in Android malware detection.

Muhammad Amin,Babar Shah,Aizaz Sharif,Tamleek Ali,Ki-Il Kim,Sajid Anwar

DOI: https://doi.org/10.1002/ett.3675

IF: 3.6

2019-07-15

Transactions on Emerging Telecommunications Technologies

Abstract:<p>Mobile and cell devices have empowered end users to tweak their cell phones more than ever and introduce applications just as we used to with personal computers. Android likewise portrays an uprise in mobile devices and personal digital assistants. It is an open‐source versatile platform fueling incalculable hardware units, tablets, televisions, auto amusement frameworks, digital boxes, and so forth. In a generally shorter life cycle, Android also has additionally experienced a mammoth development in application malware. In this context, a toweringly large measure of strategies has been proposed in theory for the examination and detection of these harmful applications for the Android platform. These strategies attempt to both statically reverse engineer the application and elicit meaningful information as features manually or dynamically endeavor to quantify the runtime behavior of the application to identify malevolence. The overgrowing nature of Android malware has enormously debilitated the support of protective measures, which leaves the platforms such as Android feeble for novel and mysterious malware. Machine learning is being utilized for malware diagnosis in mobile phones as a common practice and in Android distinctively. It is important to specify here that these systems, however, utilize and adapt the learning‐based techniques, yet the overhead of hand‐created features limits ease of use of such methods in reality by an end user. As a solution to this issue, we mean to make utilization of deep learning–based algorithms as the fundamental arrangement for malware examination on Android. Deep learning turns up as another way of research that has bid the scientific community in the fields of vision, speech, and natural language processing. Of late, models set up on deep convolution networks outmatched techniques utilizing handmade descriptive features at various undertakings. Likewise, our proposed technique to cater malware detection is by design a deep learning model making use of generative adversarial networks, which is responsible to detect the Android malware via famous two‐player game theory for a rock‐paper‐scissor problem. We have used three state‐of‐the‐art datasets and augmented a large‐scale dataset of opcodes extracted from the Android Package Kit bytecode and used in our experiments. Our technique achieves F1 score of 99% with a receiver operating characteristic of 99% on the bytecode dataset. This proves the usefulness of our technique and that it can generally be adopted in real life.</p>

telecommunications

Annamalai Narayanan,Mahinthan Chandramohan,Lihui Chen,Yang Liu

DOI: https://doi.org/10.1007/s10664-017-9539-8

IF: 3.762

2017-08-30

Empirical Software Engineering

Abstract:Many existing Machine Learning (ML) based Android malware detection approaches use a variety of features such as security-sensitive APIs, system calls, control-flow structures and information flows in conjunction with ML classifiers to achieve accurate detection. Each of these feature sets provides a unique semantic perspective (or view) of apps’ behaviors with inherent strengths and limitations. Meaning, some views are more amenable to detect certain attacks but may not be suitable to characterize several other attacks. Most of the existing malware detection approaches use only one (or a selected few) of the aforementioned feature sets which prevents them from detecting a vast majority of attacks. Addressing this limitation, we propose MKLDroid, a unified framework that systematically integrates multiple views of apps for performing comprehensive malware detection and malicious code localization. The rationale is that, while a malware app can disguise itself in some views, disguising in every view while maintaining malicious intent will be much harder. MKLDroid uses a graph kernel to capture structural and contextual information from apps’ dependency graphs and identify malice code patterns in each view. Subsequently, it employs Multiple Kernel Learning (MKL) to find a weighted combination of the views which yields the best detection accuracy. Besides multi-view learning, MKLDroid’s unique and salient trait is its ability to locate fine-grained malice code portions in dependency graphs (e.g., methods/classes). Malicious code localization caters several important applications such as supporting human analysts studying malware behaviors, engineering malware signatures, and other counter-measures. Through our large-scale experiments on several datasets (incl. wild apps), we demonstrate that MKLDroid outperforms three state-of-the-art techniques consistently, in terms of accuracy while maintaining comparable efficiency. In our malicious code localization experiments on a dataset of repackaged malware, MKLDroid was able to identify all the malice classes with 94% average recall. Our work opens up two new avenues in malware research: (i) enables the research community to elegantly look at Android malware behaviors in multiple perspectives simultaneously, and (ii) performing precise and scalable malicious code localization.

computer science, software engineering

Ahsan Wajahat,Jingsha He,Nafei Zhu,Tariq Mahmood,Ahsan Nazir,Muhammad Salman Pathan,Sirajuddin Qureshi,Faheem Ullah

DOI: https://doi.org/10.3233/jifs-231969

2023-01-01

Journal of Intelligent & Fuzzy Systems

Abstract:Positive developments in smartphone usage have led to an increase in malicious attacks, particularly targeting Android mobile devices. Android has been a primary target for malware exploiting security vulnerabilities due to the presence of critical applications, such as banking applications. Several machine learning-based models for mobile malware detection have been developed recently, but significant research is needed to achieve optimal efficiency and performance. The proliferation of Android devices and the increasing threat of mobile malware have made it imperative to develop effective methods for detecting malicious apps. This study proposes a robust hybrid deep learning-based approach for detecting and predicting Android malware that integrates Convolutional Neural Networks (CNN) and Long Short-Term Memory (LSTM). It also presents a creative machine learning-based strategy for dealing with unbalanced datasets, which can mislead the training algorithm during classification. The proposed strategy helps to improve method performance and mitigate over- and under-fitting concerns. The proposed model effectively detects Android malware. It extracts both temporal and spatial features from the dataset. A well-known Drebin dataset was used to train and evaluate the efficacy of all creative frameworks regarding the accuracy, sensitivity, MAE, RMSE, and AUC. The empirical finding proclaims the projected hybrid ConvLSTM model achieved remarkable performance with an accuracy of 0.99, a sensitivity of 0.99, and an AUC of 0.99. The proposed model outperforms standard machine learning-based algorithms in detecting malicious apps and provides a promising framework for real-time Android malware detection.

Rajesh Kumar,Zhang Xiaosong,Riaz Ullah Khan,Jay Kumar,Ijaz Ahad

DOI: https://doi.org/10.1145/3194452.3194465

2018-01-01

Abstract:The across the board reception of android devices and their ability to get to critical private and secret data have brought about these devices being focused by malware engineers. Existing android malware analysis techniques categorized into static and dynamic analysis. In this paper, we introduce two machine learning supported methodologies for static analysis of android malware. The First approach based on statically analysis, content is found through probability statistics which reduces the uncertainty of information. Feature extraction were proposed based on the analysis of existing dataset. Our both approaches were used to high-dimension data into low-dimensional data so as to reduce the dimension and the uncertainty of the extracted features. In training phase the complexity was reduced 16.7% of the original time and detect the unknown malware families were improved.

Yuyang Zhou,Guang Cheng,Shui Yu,Zongyao Chen,Yujia Hu

DOI: https://doi.org/10.1109/tifs.2024.3414339

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Machine learning (ML) has been widely adopted for Android malware detection to deal with serious threats brought by explosive malware attacks. However, it has been recently proven that ML-based detection systems exhibit inherent vulnerabilities to evasion attacks, which inject adversarial perturbations into a malicious app to hide its malicious behaviors and evade detection. To date, researchers have not found effective solutions for this critical problem. Although there are some similar works in the image classification field, most of those ideas cannot be borrowed due to the significant differences between images and Android apps. In this paper, we exploit Moving Target Defense (MTD) to continually change the attack surface of the protected detector and create uncertainty on the attacker side. We thus propose a novel Android malware detection framework named MTDroid, which fully leverages a seamless blend of dynamicity, diversity, and heterogeneity to mitigate the impact of evasion attacks. To this end, we develop a dynamic model pool to decrease the exposure time of a single classifier, by building and rebuilding multiple heterogeneous models with distinct data. We then generate diversified variant models to provide defensive measures against various attacks, and further improve robustness through ensemble learning. Specifically, we propose a two-stage selection algorithm to optimize the ensemble learning process, and design a hybrid update strategy to refresh the framework dynamically. The experimental results show that MTDroid significantly enhances the robustness against a wide range of attacks and outperforms the state-of-the-art methods upon three popular practical datasets.

Sen Chen,Minhui Xue,Lingling Fan,Shuang Hao,Lihua Xu,Haojin Zhu,Bo Li

DOI: https://doi.org/10.48550/arXiv.1706.04146

2017-10-31

Abstract:The evolution of mobile malware poses a serious threat to smartphone security. Today, sophisticated attackers can adapt by maximally sabotaging machine-learning classifiers via polluting training data, rendering most recent machine learning-based malware detection tools (such as Drebin, DroidAPIMiner, and MaMaDroid) ineffective. In this paper, we explore the feasibility of constructing crafted malware samples; examine how machine-learning classifiers can be misled under three different threat models; then conclude that injecting carefully crafted data into training data can significantly reduce detection accuracy. To tackle the problem, we propose KuafuDet, a two-phase learning enhancing approach that learns mobile malware by adversarial detection. KuafuDet includes an offline training phase that selects and extracts features from the training set, and an online detection phase that utilizes the classifier trained by the first phase. To further address the adversarial environment, these two phases are intertwined through a self-adaptive learning scheme, wherein an automated camouflage detector is introduced to filter the suspicious false negatives and feed them back into the training phase. We finally show that KuafuDet can significantly reduce false negatives and boost the detection accuracy by at least 15%. Experiments on more than 250,000 mobile applications demonstrate that KuafuDet is scalable and can be highly effective as a standalone system.

Cryptography and Security

Bo FENG,Hang DAI,De-jun MU

DOI: https://doi.org/10.3969/j.issn.1673-629X.2014.02.036

2014-01-01

Abstract:In view of the flood situation for Android malware,propose a method of behavior-based dynamic malware detection. First,get a comprehensive collection of software run-time information,including system information and kernel calls. The kernel call sequences are truncated to fixed length. Second,form all the information as property and values. Taking information gain as an indicator,select proper-ties that have high information gain and different impact by applying the C4. 5 algorithm,and proportionally assign weighting factor to properties based on the size of the information gain. Finally,apply K-Nearest Neighbor algorithm to complete the process of machine learning,making the system identify malicious software that similar to the sample,and regard unknown types of software as suspected malware. The result of experiment shows that the method has a high true positive rate and low false positive rate. Moreover,the result can be further improved with the increase of the learning sample library.

Lu Huang,Jingfeng Xue,Yong Wang,Junbao Chen,Tianwei Lei

DOI: https://doi.org/10.1016/j.ins.2024.120923

IF: 8.1

2024-07-21

Information Sciences

Abstract:Large language model (LLM) platform vendors have begun to make their models available for developers to build for different use cases. However, the emergence of LLM-based applications may raise security and privacy issues, and even LLM-based applications may be susceptible to malware. To strengthen LLM ecosystem security, it's crucial to develop malware detection algorithms for various platforms. We pay attention to Android malware because the Android platform is widely used and vulnerable. Existing single feature based-solutions cannot effectively describe applications, and aged models fail to detect new malware as Android platform develops and malware evolves. Therefore, existing detection methods are ill-suited for evolved malware that may manipulate LLM-based applications. To tackle the above problems, we design EvolveDroid, an anti-aging Android malware detection system. On the one hand, EvolveDroid utilizes different view features to reflect malware behavior from multiple dimensions, and maximizes the advantages of each feature type through feature aggregation. On the other hand, EvolveDroid learns good representation of applications through contrastive learning and generates pseudo labels by measuring the distance between unknown samples and existing samples for model updating. Extensive evaluations show that EvolveDroid outperforms state-of-the-art (sota) solutions in detection performance and slowing model aging.

computer science, information systems

Tianliang Lu,Yanhui Du,Li Ouyang,Qiuyu Chen,Xirui Wang

DOI: https://doi.org/10.1155/2020/8863617

IF: 1.968

2020-08-28

Security and Communication Networks

Abstract:In recent years, the number of malware on the Android platform has been increasing, and with the widespread use of code obfuscation technology, the accuracy of antivirus software and traditional detection algorithms is low. Current state-of-the-art research shows that researchers started applying deep learning methods for malware detection. We proposed an Android malware detection algorithm based on a hybrid deep learning model which combines deep belief network (DBN) and gate recurrent unit (GRU). First of all, analyze the Android malware; in addition to extracting static features, dynamic behavioral features with strong antiobfuscation ability are also extracted. Then, build a hybrid deep learning model for Android malware detection. Because the static features are relatively independent, the DBN is used to process the static features. Because the dynamic features have temporal correlation, the GRU is used to process the dynamic feature sequence. Finally, the training results of DBN and GRU are input into the BP neural network, and the final classification results are output. Experimental results show that, compared with the traditional machine learning algorithms, the Android malware detection model based on hybrid deep learning algorithms has a higher detection accuracy, and it also has a better detection effect on obfuscated malware.

computer science, information systems,telecommunications

Rui Zhu,Chenglin Li,Di Niu,Hongwen Zhang,Husam Kinawi

DOI: https://doi.org/10.48550/arXiv.1806.04847

2018-12-11

Abstract:With the growth of mobile devices and applications, the number of malicious software, or malware, is rapidly increasing in recent years, which calls for the development of advanced and effective malware detection approaches. Traditional methods such as signature-based ones cannot defend users from an increasing number of new types of malware or rapid malware behavior changes. In this paper, we propose a new Android malware detection approach based on deep learning and static analysis. Instead of using Application Programming Interfaces (APIs) only, we further analyze the source code of Android applications and create their higher-level graphical semantics, which makes it harder for attackers to evade detection. In particular, we use a call graph from method invocations in an Android application to represent the application, and further analyze method attributes to form a structured Program Representation Graph (PRG) with node attributes. Then, we use a graph convolutional network (GCN) to yield a graph representation of the application by embedding the entire graph into a dense vector, and classify whether it is a malware or not. To efficiently train such a graph convolutional network, we propose a batch training scheme that allows multiple heterogeneous graphs to be input as a batch. To the best of our knowledge, this is the first work to use graph representation learning for malware detection. We conduct extensive experiments from real-world sample collections and demonstrate that our developed system outperforms multiple other existing malware detection techniques.

Cryptography and Security